Hello friends i am creating simple portfolio site, where admin username and password are neither salted or used md5 but plain text. 'login.php' page is 'unguessable.php' page. Is this ok for simple site ?
if(isset($_POST['btnCreateAccount']))
{
$Error->blank($_POST['username'], 'Username');
$Error->blank($_POST['password'], 'Password');
$Error->blank($_POST['level'], 'Level');
$Error->email($_POST['email']);
if($Error->ok())
{
$u = new User();
$u->username = $_POST['username'];
$u->email = $_POST['email'];
$u->level = $_POST['level'];
$u->setPassword($_POST['password']);
$u->insert();
redirect('users.php');
}
else
{
$username = $_POST['username'];
$email = $_POST['email'];
$level = $_开发者_开发百科POST['level'];
}
}
else
{
$username = '';
$email = '';
$level = 'user';
}
This form should be run over SSL (HTTPS) to avoid the passwords becoming compromised in transit.
You should NEVER store passwords in plain text. What does User->setPassword()
do? Does it just assign the value of your password to some property that gets stored to your database when ->insert()
is called? Why not just salt and md5 the password within this routine?
If your database were to be compromised, the passwords you reveal may not have been chosen by your users specifically for your own system - so you might be causing a wider security issue.
精彩评论